← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1604479] Re: tenantId/default_project_id missing on Keystone service user in Mitaka

 

Closing this because of inactivity.

** Changed in: puppet-keystone
     Assignee: Kam Nasim (knasim-wrs) => (unassigned)

** Changed in: keystone
     Assignee: Kam Nasim (knasim-wrs) => (unassigned)

** Changed in: puppet-keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1604479

Title:
  tenantId/default_project_id missing on Keystone service user in Mitaka

Status in OpenStack Identity (keystone):
  Invalid
Status in puppet-keystone:
  Invalid

Bug description:
  On upgrading to Mitaka, we saw that the user ref in Keystone does not have a tenantId or default_project_id field. This breaks:
  1) The Detailed view in Horizon in the Identity pane where ProjectID is shown as "None"
  2) any services project based RBAC policies that we have in place.

  Noticed a new local_user DB table for all the services users (no project/tenantId field in here):
  keystone=# select * from local_user;
   id |             user_id              | domain_id |    name
  ----+----------------------------------+-----------+------------
    1 | 3c1bd8c0f6324dcc938900d8eb801aa5 | default   | admin
    2 | d1c4f7a244f74892b612b9b2ded6d602 | default   | neutron
    3 | a481a1f43ec0463083b7a30d20493d38 | default   | nova
    4 | 951068b3372f47ac827ade8f67cc19b4 | default   | glance
    6 | 4b76763e375946998445b65b11c8db73 | default   | ceilometer
    7 | 15c8e1e463cc4370ad369eaf8504b727 | default   | cinder
    8 | 5c3ea23eb8e14070bc562951bb266073 | default   | sysinv
    9 | 2b62ced877244e74ba90b546225740d0 | default   | heat
   10 | 5a506282b45c4064b262f3f414f1f699 | default   | kam
  (9 rows)

  
  Note that an admin role is assigned for these services users in the services project. It is just not present within the user reference or keystone user-get:

  $ keystone user-role-list

  +----------------------------------+-------+----------------------------------+----------------------------------+
  |                id                |  name |             user_id              |            tenant_id             |
  +----------------------------------+-------+----------------------------------+----------------------------------+
  | f9985117736b4684904b4eb55476f30a | admin | a481a1f43ec0463083b7a30d20493d38 | c211dda10c9a4b2db16f239dccf65acd |
  +----------------------------------+-------+----------------------------------+----------------------------------+

  $ keystone user-get

  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |          nova@localhost          |
  | enabled  |               True               |
  |    id    | a481a1f43ec0463083b7a30d20493d38 |
  |   name   |               nova               |
  | username |               nova               |
  +----------+----------------------------------+

  
  Contrast this to Kilo/Liberty where tenantId is visible within user reference:

  
  $ keystone user-get b7a3bcd588b5482ab9741efcf3f9bb33

  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |          nova@localhost          |
  | enabled  |               True               |
  |    id    | b7a3bcd588b5482ab9741efcf3f9bb33 |
  |   name   |               nova               |
  | tenantId | 2e4a21e1a37840879321320107c74f86 | <<<<<<<<<<<<<<<<<<<<<<<<<<
  | username |               nova               |
  +----------+----------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1604479/+subscriptions



References